Cisco
Login
Search
Software Secure Access
Activity Manage

Cisco Secure Access Help Manage Destination Lists Control Access to Custom URLs Examples

Last updated: Aug 07, 2025

Examples

The following examples show a single URL and what you can and cannot enter to have a block of that URL enforced. The list of URLs is built out from a single example, modifying a single parameter to show whether the URL "//a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes" would be blocked based on a URL.

In these examples, the protocol is stripped as it would be by the interface.

If you wanted to block this URL a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes the following logic would apply.

URL Blocked? Reason
a.co/cx/15195/100/setup_1848x19m.exe?z=z&super=bad&test=yes Yes The full URL is entered.
a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yes&z=z Yes "&" is a delimiter; therefore, it's added as another level to the URL after the word "yes".
a.co/cx/15195/100/setup_1848x19m.exe?super=bad&test=yes No "?" is a delimiter so the URL still would begin at the "yes" and any enforcement would happen after that.
a.co/cx/15195/100/setup_1848x19m.exe? No Given the "?", it still means only characters after "yes" will be enforced; therefore, a direct download of this file would be allowed.
a.co/cx/15195/100/setup_1848x19m.exe No We will still only block any paths after "yes"; therefore, a direct download of this file would be allowed.

If you want to block this URL g.com/a/d, the following logic applies.

Note: These are only examples of destination list entries that would and would not block the URL g.com/a/d.

URL Blocked? Reason
g.com/a/d Yes The full URL is entered.
g.com/a/d?g Yes Delimits the path with the query "g" but still just a delimiter thus this will be enforced.
g.com/a/d? Yes URL + the "?" delimiter.
g.com/a/ No The URL ends with "/d" so anything before "/d" would not be enforced.
g.com/a/?a No The URL ends with "/d" so anything before "/d" would not be enforced.

If you want to block this URL d.co/cx/15195/100, the following applies.

Note: These are only examples of which destination list entries would block the URL "d.co/cx/15195/100" and which would not.

URL Enforced Reason
d.co/cx/15195/100 Yes The full URL is entered.
d.co/cx/15195/100/? Yes Everything after the delimited "/" after 100 would be blocked.
d.co/cx/15195/100/ Yes Everything after the delimited "/" after 100 would be blocked.
d.co/cx/15195/100 Yes Everything after the delimiting "/" after 100 would be blocked.
d.co/cx/15195/10 No The delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.
d.co/cx/15195/1000 No The delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.
d.co/cx/15195/ No The delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.
d.co/cx/15195 No The delimiter is only for paths after the "/" so any changes to the final path of /100/ would be ignored.

Note: There are normalization rules that most administrators never encounter. If you find that a URL is not being properly filtered and you've confirmed that all criteria are met, see the URL Normalization RFC.

Previous topic Reporting for Blocked URLs Next topic Troubleshooting